News
GoSerpent backdoor attacks in Southeast Asia
9+ hour, 15+ min ago (952+ words) In February 2026 we discovered a set of malicious activities that have been ongoing since late 2025. These activities involved a RAT module written in Go with proxy capabilities, serving as the main stage of the attack. The attack targeted government and…...
OkoBot framework infection chain
1+ day, 11+ hour ago (789+ words) We dubbed this updated TookPS campaign “OkoBot”. Original OkoBot infection chain New OkoBot infection chain Both infection vectors trigger the execution of the malicious script TookPS, which installs SSH on the victim’s system, establishes a connection to the attacker-controlled SSH…...
When checking the URL isn’t enough: phishing via the Microsoft identity platform
1+ week, 3+ day ago (796+ words) 2. Displaying the code to the user The device displays both the user_code and the verification_uri to the user, instructing them to complete authentication on another device. For instance, a smart TV will display the code and URL — often rendering the verification_uri as a…...
Armored Likho’s new weapon: BusySnake Stealer
1+ week, 6+ day ago (1633+ words) posted 03 Jul 2026 The downloaded archives are extracted into the $appdata\WindowsHelper directory. This serves as the malware’s working directory, where all subsequent components of the attack are staged and executed. The fetched package contains the following components: Once executed, the…...
How a single ScreenConnect incident exposed a massive campaign
2+ week, 1+ day ago (1337+ words) posted 01 Jul 2026 During a recent investigation engagement, the Kaspersky Managed Detection and Response (MDR) team discovered the ScreenConnect remote access tool being leveraged to deploy and execute an AsyncRAT payload. We continue to break down complex, multi-stage incidents like this…...
How the ToddyCat APT group gains access to Gmail accounts
2+ week, 2+ day ago (1644+ words) The attackers continued their search for ways to bypass security solutions and developed a new tool to gain access to a victim’s cloud account via the Google API. Armed with this tool, the group automated all stages of the attack…...
CVE-2024-2658 vulnerability in Schneider Electric software: risks to industrial control systems
2+ week, 6+ day ago (386+ words) posted 26 Jun 2026 This vulnerability is a CWE-427: Uncontrolled Search Path Element issue. It stems from a system application referencing an OpenSSL configuration file at a hardcoded path without proper access controls. We will examine the role the FlexNet Publisher component…...
Threat landscape for SMBs in 2026: fake AI tools, phishing and more
3+ week, 11+ hour ago (784+ words) Small and medium-sized businesses (SMBs) remain attractive targets for cybercriminals – in both mass cyberattacks and sophisticated campaigns targeting larger enterprises through trusted relationship attacks. At the same time, smaller businesses may lack the robust cybersecurity policies and necessary resources to…...
MiniPlasma: detecting exploitation
1+ mon, 1+ week ago (437+ words) posted 03 Jun 2026 Over the past two months, the anonymous researcher Nightmare Eclipse (also known as Chaotic Eclipse) has publicly released six Windows vulnerabilities complete with ready-to-use exploits, without prior coordination with Microsoft. The most critical of these is MiniPlasma, a…...
Containers on fire: from container escapes to supply chain attacks
1+ mon, 2+ week ago (1103+ words) Today, attacks on container environments have evolved into full-fledged, multi-stage scenarios involving supply chain compromises, Kubernetes secrets theft, orchestration API abuse, and container escape attempts. This article examines the primary container attack vectors that retain top relevance today. A container…...